AzureAD · trwalke · Mar 17, 2025 · Mar 7, 2025 · Mar 12, 2025 · Mar 12, 2025
@@ -48,6 +48,7 @@ internal static class Constants
         public const string ManagedIdentityDefaultTenant = "managed_identity";
         public const string CiamAuthorityHostSuffix = ".ciamlogin.com";
         public const string CertSerialNumber = "cert_sn";
+        public const string FmiNodeClientId = "urn:microsoft:identity:fmi";
 
         public const int CallerSdkIdMaxLength = 10;
         public const int CallerSdkVersionMaxLength = 20;

@@ -1,3 +1,4 @@
+Microsoft.Identity.Client.TokenCacheNotificationArgs.NoDistributedCacheUseReason.get -> string
 const Microsoft.Identity.Client.MsalError.ForceRefreshNotCompatibleWithTokenHash = "force_refresh_and_token_hash_not_compatible" -> string
 Microsoft.Identity.Client.RP.AcquireTokenForClientParameterBuilderForResourceProviders
-static Microsoft.Identity.Client.RP.AcquireTokenForClientParameterBuilderForResourceProviders.WithAccessTokenSha256ToRefresh(this Microsoft.Identity.Client.AcquireTokenForClientParameterBuilder builder, string hash) -> Microsoft.Identity.Client.AcquireTokenForClientParameterBuilder
+static Microsoft.Identity.Client.RP.AcquireTokenForClientParameterBuilderForResourceProviders.WithAccessTokenSha256ToRefresh(this Microsoft.Identity.Client.AcquireTokenForClientParameterBuilder builder, string hash) -> Microsoft.Identity.Client.AcquireTokenForClientParameterBuilder
@@ -1,3 +1,4 @@
+Microsoft.Identity.Client.TokenCacheNotificationArgs.NoDistributedCacheUseReason.get -> string
 const Microsoft.Identity.Client.MsalError.ForceRefreshNotCompatibleWithTokenHash = "force_refresh_and_token_hash_not_compatible" -> string
 Microsoft.Identity.Client.RP.AcquireTokenForClientParameterBuilderForResourceProviders
-static Microsoft.Identity.Client.RP.AcquireTokenForClientParameterBuilderForResourceProviders.WithAccessTokenSha256ToRefresh(this Microsoft.Identity.Client.AcquireTokenForClientParameterBuilder builder, string hash) -> Microsoft.Identity.Client.AcquireTokenForClientParameterBuilder
+static Microsoft.Identity.Client.RP.AcquireTokenForClientParameterBuilderForResourceProviders.WithAccessTokenSha256ToRefresh(this Microsoft.Identity.Client.AcquireTokenForClientParameterBuilder builder, string hash) -> Microsoft.Identity.Client.AcquireTokenForClientParameterBuilder
@@ -1,3 +1,4 @@
+Microsoft.Identity.Client.TokenCacheNotificationArgs.NoDistributedCacheUseReason.get -> string
 const Microsoft.Identity.Client.MsalError.ForceRefreshNotCompatibleWithTokenHash = "force_refresh_and_token_hash_not_compatible" -> string
 Microsoft.Identity.Client.RP.AcquireTokenForClientParameterBuilderForResourceProviders
-static Microsoft.Identity.Client.RP.AcquireTokenForClientParameterBuilderForResourceProviders.WithAccessTokenSha256ToRefresh(this Microsoft.Identity.Client.AcquireTokenForClientParameterBuilder builder, string hash) -> Microsoft.Identity.Client.AcquireTokenForClientParameterBuilder
+static Microsoft.Identity.Client.RP.AcquireTokenForClientParameterBuilderForResourceProviders.WithAccessTokenSha256ToRefresh(this Microsoft.Identity.Client.AcquireTokenForClientParameterBuilder builder, string hash) -> Microsoft.Identity.Client.AcquireTokenForClientParameterBuilder
@@ -1,3 +1,4 @@
+Microsoft.Identity.Client.TokenCacheNotificationArgs.NoDistributedCacheUseReason.get -> string
 const Microsoft.Identity.Client.MsalError.ForceRefreshNotCompatibleWithTokenHash = "force_refresh_and_token_hash_not_compatible" -> string
 Microsoft.Identity.Client.RP.AcquireTokenForClientParameterBuilderForResourceProviders
-static Microsoft.Identity.Client.RP.AcquireTokenForClientParameterBuilderForResourceProviders.WithAccessTokenSha256ToRefresh(this Microsoft.Identity.Client.AcquireTokenForClientParameterBuilder builder, string hash) -> Microsoft.Identity.Client.AcquireTokenForClientParameterBuilder
+static Microsoft.Identity.Client.RP.AcquireTokenForClientParameterBuilderForResourceProviders.WithAccessTokenSha256ToRefresh(this Microsoft.Identity.Client.AcquireTokenForClientParameterBuilder builder, string hash) -> Microsoft.Identity.Client.AcquireTokenForClientParameterBuilder
@@ -1,3 +1,4 @@
+Microsoft.Identity.Client.TokenCacheNotificationArgs.NoDistributedCacheUseReason.get -> string
 const Microsoft.Identity.Client.MsalError.ForceRefreshNotCompatibleWithTokenHash = "force_refresh_and_token_hash_not_compatible" -> string
 Microsoft.Identity.Client.RP.AcquireTokenForClientParameterBuilderForResourceProviders
-static Microsoft.Identity.Client.RP.AcquireTokenForClientParameterBuilderForResourceProviders.WithAccessTokenSha256ToRefresh(this Microsoft.Identity.Client.AcquireTokenForClientParameterBuilder builder, string hash) -> Microsoft.Identity.Client.AcquireTokenForClientParameterBuilder
+static Microsoft.Identity.Client.RP.AcquireTokenForClientParameterBuilderForResourceProviders.WithAccessTokenSha256ToRefresh(this Microsoft.Identity.Client.AcquireTokenForClientParameterBuilder builder, string hash) -> Microsoft.Identity.Client.AcquireTokenForClientParameterBuilder
@@ -1,3 +1,4 @@
+Microsoft.Identity.Client.TokenCacheNotificationArgs.NoDistributedCacheUseReason.get -> string
 const Microsoft.Identity.Client.MsalError.ForceRefreshNotCompatibleWithTokenHash = "force_refresh_and_token_hash_not_compatible" -> string
 Microsoft.Identity.Client.RP.AcquireTokenForClientParameterBuilderForResourceProviders
-static Microsoft.Identity.Client.RP.AcquireTokenForClientParameterBuilderForResourceProviders.WithAccessTokenSha256ToRefresh(this Microsoft.Identity.Client.AcquireTokenForClientParameterBuilder builder, string hash) -> Microsoft.Identity.Client.AcquireTokenForClientParameterBuilder
+static Microsoft.Identity.Client.RP.AcquireTokenForClientParameterBuilderForResourceProviders.WithAccessTokenSha256ToRefresh(this Microsoft.Identity.Client.AcquireTokenForClientParameterBuilder builder, string hash) -> Microsoft.Identity.Client.AcquireTokenForClientParameterBuilder
@@ -5,6 +5,7 @@
 using System.Collections;
 using System.Collections.Generic;
 using System.Threading;
+using Microsoft.Identity.Client.Internal;
 using Microsoft.Identity.Client.TelemetryCore.TelemetryClient;
 using Microsoft.IdentityModel.Abstractions;
 
@@ -40,13 +41,13 @@ public TokenCacheNotificationArgs(
                    hasTokens,
                    suggestedCacheExpiry,
                    cancellationToken,
-                   default, 
-                   default, 
+                   default,
+                   default,
                    default,
                    null,
                    default)
-            {
-            }
+        {
+        }
 
         /// <summary>
         /// This constructor is for test purposes only. It allows apps to unit test their MSAL token cache implementation code.
@@ -61,7 +62,7 @@ public TokenCacheNotificationArgs(
             bool hasTokens,
             DateTimeOffset? suggestedCacheExpiry,
             CancellationToken cancellationToken,
-            Guid correlationId)       
+            Guid correlationId)
            : this(tokenCache,
                    clientId,
                    account,
@@ -76,7 +77,7 @@ public TokenCacheNotificationArgs(
                    default,
                    null,
                    default)
-        { 
+        {
         }
 
         /// <summary>
@@ -92,10 +93,10 @@ public TokenCacheNotificationArgs(    // only use this constructor in product co
             bool hasTokens,
             DateTimeOffset? suggestedCacheExpiry,
             CancellationToken cancellationToken,
-            Guid correlationId, 
+            Guid correlationId,
             IEnumerable<string> requestScopes,
             string requestTenantId)
-            
+
         {
             TokenCache = tokenCache;
             ClientId = clientId;
@@ -145,7 +146,7 @@ public TokenCacheNotificationArgs(    // only use this constructor in product co
             SuggestedCacheExpiry = suggestedCacheExpiry;
             IdentityLogger = identityLogger;
             PiiLoggingEnabled = piiLoggingEnabled;
-            TelemetryData = telemetryData?? new TelemetryData();
+            TelemetryData = telemetryData ?? new TelemetryData();
         }
 
         /// <summary>
@@ -255,5 +256,21 @@ public TokenCacheNotificationArgs(    // only use this constructor in product co
         /// Cache Details contains the details of L1/ L2 cache for telemetry logging.
         /// </summary>
         public TelemetryData TelemetryData { get; }
+
+        /// <summary>
+        /// Determines whether the client application authentication instance is classified as an FMI (Federated Managed Identity) node under a specified RMA (Resource Managed Authority).
+        /// </summary>
+        public string NoDistributedCacheUseReason
+        {
+            get
+            {
+                if (ClientId.Equals(Constants.FmiNodeClientId))
+                {
+                    return "The currently provided client id indicates that this is a RMA (Resource Managed Authority) node client. RMA node clients should not use a distributed cache, please use an in memory cache instead.";
+                }
+
+                return string.Empty;
+            }
+        }
     }
 }
@@ -219,6 +219,7 @@ public static HashSet<string> s_scope
 
         public const string Bearer = "Bearer";
         public const string Pop = "PoP";
+        public const string FmiNodeClientId = "urn:microsoft:identity:fmi";
 
         public static IDictionary<string, string> ExtraQueryParameters
         {

@@ -533,5 +533,49 @@ public async Task TokenCacheSerializationArgs_UserCache_TenantIdScopes_Async()
 
             }
         }
+
+        [TestMethod]
+        [DataRow(TestConstants.ClientId)]
+        [DataRow(TestConstants.FmiNodeClientId)]
+        public async Task TokenCacheSerializationArgs_AppCache_IsFmiClientNode_Async(string clientId)
+        {
+            using (var harness = CreateTestHarness())
+            {
+                // Confirm that NoDistributedCacheUseReason is correct
+                // Arrange
+                var cca = ConfidentialClientApplicationBuilder
+                    .Create(clientId)
+                    .WithClientSecret(TestConstants.ClientSecret)
+                    .WithHttpManager(harness.HttpManager)
+                    .BuildConcrete();
+
+                var appTokenCacheRecoder = cca.AppTokenCache.RecordAccess((args) =>
+                {
+                    Assert.AreEqual(clientId, args.ClientId);
+                    if (clientId.Equals(TestConstants.FmiNodeClientId))
+                    {
+                        // string should not be null or empty
+                        Assert.IsTrue(!string.IsNullOrEmpty(args.NoDistributedCacheUseReason));
+                    }
+                    else
+                    {
+                        // string should be null or empty
+                        Assert.IsTrue(string.IsNullOrEmpty(args.NoDistributedCacheUseReason));
+                    }
+
+                    CollectionAssert.AreEquivalent(TestConstants.s_scope.ToArray(), args.RequestScopes.ToArray());
+                });
+
+                harness.HttpManager.AddAllMocks(TokenResponseType.Valid_ClientCredentials);
+
+                // Act - Client Credentials with authority override
+                await cca.AcquireTokenForClient(TestConstants.s_scope)
+                    .WithTenantId(TestConstants.TenantId2)
+                    .ExecuteAsync()
+                    .ConfigureAwait(false);
+
+                appTokenCacheRecoder.AssertAccessCounts(1, 1);
+            }
+        }
     }
 }